On Mon, 14 May 2018, David Harvey wrote:
Thank you, that's a great help.
One follow up question. Is there some way of cajoling ipa host-show into
only displaying specific fields? Or is it better just to use ldapsearch
with a suitable search filter (given both need to use the host or a service
keytab if this is to be run by puppet).

If you only need them, just use ldapsearch. There is no way to control
what fields are returned by the IPA CLI -- it is a default set or everything
(--all).

The fields I'm interested in (descriptions, platform, OS, Class) are
thankfully available (at least using the host principal).

Good.

Kind regards,
David
On 14 May 2018 at 14:14, Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
> On Tue, 27 Mar 2018, David Harvey via FreeIPA-users wrote:
>
>> Dear list,
>>
>> I'm currently tinkering with adding host attributes (As custom attrs, or
>> for the moment into the description field). My intention is to then read
>> these from the host in order to define some local behaviour for scripts or
>> puppet.
>>
>> Example - a concept of machine ownership, or device class for local scripts
>> or puppet to know about.
>>
>> The two ways I've thought of so far entail
>>
>> - having the CLI tools installed to run IPA commands, or
>> - kinit -kt /etc/krb5.keytab followed by ldapsearch to read in the parts
>> I'm interested in.
>>
>> It occurred to me that sssd or some other components I understand less well
>> might already be able to trivially read the host data IPA holds, or that
>> the kinit might not be needed given the machine can already read out getent
>> parts direct from LDAP/IPA values with a non network account in use.
>>
>> Any ideas or suggestion around this so I don't reinvent the wheel?
>>
> While SSSD can be taught to read user-specific attributes by adding them
> in the configuration, the same cannot be done for host-specific
> attributes. So you are back to those two methods you outline above.
>
> One note is that you'd need to add permissions to be able to read the
> attributes we don't explicitly allow for services/host principals. See
> https://vda.li/en/posts/2016/08/30/Creating-permissions-in-FreeIPA/ for
> details on how to achieve that. For plugin examples look at my
> github.com/abbra/ page for freeipa-* plugin repos.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
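
The keytab-plus-ldapsearch route discussed in this thread, as an added example that is not part of the original messages: it requests only the wanted attributes with the host principal and turns the LDIF into key=value lines a Puppet external fact can emit. The host, realm and server names are placeholders, the suffix-from-realm mapping assumes a default IPA install, and the attribute names are assumed to be the LDAP names behind the description, platform, OS and class fields.

```shell
#!/bin/sh
# Added example, not from the thread. Realm, server and host names are
# placeholders; the suffix-from-realm mapping assumes a default IPA install.
ATTRS="description nshardwareplatform nsosversion userclass"

# EXAMPLE.TEST -> dc=example,dc=test
realm_to_suffix() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/^/dc=/; s/\./,dc=/g'
}

# $1 = host FQDN, $2 = realm, $3 = IPA server. Uses a throwaway credential
# cache so the host ticket is not left behind in the default cache.
fetch_host_ldif() {
    KRB5CCNAME=$(mktemp) || return 1
    export KRB5CCNAME
    kinit -k -t /etc/krb5.keytab "host/$1@$2" &&
        ldapsearch -Q -LLL -Y GSSAPI -o ldif-wrap=no -H "ldap://$3" -s base \
            -b "fqdn=$1,cn=computers,cn=accounts,$(realm_to_suffix "$2")" $ATTRS
    rc=$?
    kdestroy -q; rm -f "$KRB5CCNAME"; unset KRB5CCNAME
    return $rc
}

# Unwrapped LDIF on stdin -> "ipa_<attr>=<value>" lines (Puppet external
# fact format). Only attributes in ATTRS pass; base64 values are decoded and
# control characters dropped so a value cannot smuggle in an extra fact line.
ldif_to_facts() {
    while IFS= read -r line; do
        name=$(printf '%s' "${line%%:*}" | tr 'A-Z' 'a-z')
        rest=${line#*:}
        case " $ATTRS " in *" $name "*) ;; *) continue ;; esac
        case "$rest" in
            :*) val=$(printf '%s' "${rest#:}" | tr -d ' ' | base64 -d | tr -d '\000-\037') ;;
            *)  val=${rest# } ;;
        esac
        printf 'ipa_%s=%s\n' "$name" "$val"
    done
}

# Constructed sample of what ldapsearch might return for one host entry.
sample_ldif() {
    cat <<'EOF'
dn: fqdn=web01.example.test,cn=computers,cn=accounts,dc=example,dc=test
description: owner=alice
nsHardwarePlatform: x86_64
userClass:: a2lvc2s=
EOF
}
```

On a client the two halves chain as `fetch_host_ldif "$(hostname -f)" EXAMPLE.TEST ipa.example.test | ldif_to_facts`; a multi-valued attribute yields one line per value.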